Description of problem: The current installation guide (Revision 2-16) mentions that a self-signed CA certificate could be created with genkey.

----
Acquire a root certificate and private key. You can purchase one from a certificate authority (CA), or you can generate your own using a tool like genkey, which can be found in the crypto-utils package in Red Hat Enterprise Linux.
----

It'd be better to describe concrete steps to do that. And, instead of genkey, using the openssl command would be better because SSL keys are generated with the openssl command in the following steps.

Here's a concrete example of creating a self-signed CA cert with openssl.

-----------
How to generate a self-signed CA cert and private key in:
  /etc/pki/CA/certs/rhui-ca.crt
  /etc/pki/CA/private/rhui-ca-key.pem

# cat <<EOF > ssl.conf
[ req ]
prompt = no
distinguished_name = dn
[dn]
CN=RHUI2.0 Self Cert CA
ST=California
C=US
EOF
# openssl req -batch -config ssl.conf -x509 -days 3650 -nodes -newkey rsa:2048 -keyout /etc/pki/CA/private/rhui-ca-key.pem -out /etc/pki/CA/certs/rhui-ca.crt
# echo 10 > /etc/pki/CA/certs/rhui-ca.srl

Note: The [dn] entry and -days option (as an expiration term) should be appropriately customized.
-----------
This is how QE does it...

export rhua=<rhua-internal-FQDN>
export cds1=<cds01-internal-FQDN>
export cds2=<cds02-internal-FQDN>

mkdir -p /root/pem
pushd /root/pem
echo 10 > ca.srl
openssl req -new -x509 -extensions v3_ca -keyout ca.key -subj "/C=US/ST=NC/L=Raleigh/CN=$rhua CA" -out ca.crt -days 365
openssl genrsa -out server.key 2048
for server in $rhua $cds1 $cds2 ; do
    echo -ne "\n\n\n## $server\n=="
    openssl req -new -key server.key -subj "/C=US/ST=NC/L=Raleigh/CN=$server" -out $server.csr || break
    openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -in $server.csr -out $server.crt || break
done
FWIW, I think this is a WONTFIX. I don't think we need or should tell people how to do this. Everyone is going to do it a little differently (as we've already seen). I think this is cursory information; we don't need to provide the exact steps. Kind of like we don't tell people what LVM commands to run to set up partitions, etc. I think it would be sufficient to say something like "go read the openssl docs if you want to know how to do this". Again, assuming they even want to use openssl to do it.
I agree it's up to the documentation team whether the exact/concrete steps should be included. However, from the current description, it's hard to understand, at first glance, that I have to prepare SSL key/cert file pairs for each of the RHUA and the CDSs, corresponding to "rhua.key/rhua.crt" and "cds1.key/cds1.crt" in "3.2. Answers File". I think it should be stated that the generic "server.key/server.crt" in "Procedure 3.1. Configuring SSL Certificates" correspond to "rhua.key/rhua.crt" and "cds1.key/cds1.crt" in "3.2. Answers File".

* Procedure 3.1. Configuring SSL Certificates
  http://docs.redhat.com/docs/en-US/Red_Hat_Update_Infrastructure/2.0/html/Installation_Guide/chap-Installation_Guide-RHUI_Installer.html#sect-Installation_Guide-RHUI_Installer-Setting_up_SSL
* 3.2. Answers File
  http://docs.redhat.com/docs/en-US/Red_Hat_Update_Infrastructure/2.0/html/Installation_Guide/sect-Installation_Guide-RHUI_Installer-Answers_File.html
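The following is an added example script, not taken from this bug report, the QE procedure or the RHUI guide: it combines the CA creation from comment 2 with the per-host signing from comment 3, writes the pairs under the names the answers file expects (rhua.key/rhui.crt, cds1.key/cds1.crt), and adds a check that each cert chains to the CA, carries a subjectAltName and matches its key. Hostnames, the CA name and the NC/Raleigh subject fields are placeholders.

```shell
#!/bin/sh
# Added example (not the bug's or RHUI's own code): one self-signed CA plus one
# key/cert pair per RHUI host, named as the answers file uses them. Placeholders:
# the hostnames, the CA CN and the C/ST/L subject fields.
set -eu

# write_req_cnf FILE CN [FQDN]: req config; CA:TRUE extensions for the CA,
# and, when an FQDN is given, a v3_host section with the SAN used at signing time.
write_req_cnf() {
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3_ca\n' > "$1"
    printf '[ dn ]\nC = US\nST = NC\nL = Raleigh\nCN = %s\n' "$2" >> "$1"
    printf '[ v3_ca ]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' >> "$1"
    if [ $# -eq 3 ]; then
        printf '[ v3_host ]\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\n' >> "$1"
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$3" >> "$1"
    fi
}

# make_rhui_certs OUTDIR CA_CN label:fqdn ... -> ca.key/ca.crt and <label>.key/<label>.crt
make_rhui_certs() {
    outdir=$1; ca_cn=$2; shift 2
    mkdir -p "$outdir"
    write_req_cnf "$outdir/ca.cnf" "$ca_cn"
    # Unencrypted (-nodes) 2048-bit RSA CA key; -x509 self-signs with the v3_ca extensions.
    openssl req -batch -config "$outdir/ca.cnf" -x509 -days 3650 -nodes -newkey rsa:2048 \
        -keyout "$outdir/ca.key" -out "$outdir/ca.crt" 2>/dev/null
    for spec in "$@"; do
        label=${spec%%:*}; fqdn=${spec#*:}
        write_req_cnf "$outdir/$label.cnf" "$fqdn" "$fqdn"
        # A separate key per host, so one compromised CDS key does not expose the others.
        openssl req -batch -config "$outdir/$label.cnf" -new -nodes -newkey rsa:2048 \
            -keyout "$outdir/$label.key" -out "$outdir/$label.csr" 2>/dev/null
        # -CAcreateserial replaces the manual "echo 10 > ca.srl" step.
        openssl x509 -req -days 365 -in "$outdir/$label.csr" -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" \
            -CAcreateserial -extfile "$outdir/$label.cnf" -extensions v3_host -out "$outdir/$label.crt" 2>/dev/null
    done
}

# verify_server_cert OUTDIR LABEL FQDN -> 0 only if the cert chains to ca.crt,
# carries the expected SAN, and matches the private key stored next to it.
verify_server_cert() {
    outdir=$1; label=$2; fqdn=$3
    openssl verify -CAfile "$outdir/ca.crt" "$outdir/$label.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$outdir/$label.crt" -noout -text | grep -q "DNS:$fqdn" || return 1
    cert_mod=$(openssl x509 -in "$outdir/$label.crt" -noout -modulus)
    key_mod=$(openssl rsa -in "$outdir/$label.key" -noout -modulus 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ]
}
```

Run it as `make_rhui_certs /root/pem "RHUI CA" rhua:rhua.example.internal cds1:cds01.example.internal` and then `verify_server_cert /root/pem rhua rhua.example.internal` before copying the files into the installer's answers file locations.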
This is handled in the services deployment guide.